Remote Access vpn connection via pix to VPN Concentrator on Dmz

Answered Question
Jul 8th, 2010

hello everyone,

Can you please help out with the VPN design? I have the public side of the VPN Concentrator 3000 connected to the PIX DMZ (sec30), the inside interface (sec100) connected to the campus, and the other end of my VPN Concentrator connected to another interface on the PIX with sec 80. Is the design okay, and how do I allow IKE and IPsec traffic through the PIX to the concentrator on the PIX DMZ?

Thank you

deeperdeeper

Correct Answer by Jennifer Halim, Fri, 07/09/2010 - 04:58

If the VPN Concentrator is configured with a public IP address, then you would need to configure the static NAT to itself as follows:

For example, if the VPN Concentrator's public interface is 200.1.1.1, on the ASA you would configure:

static (dmz,outside) 200.1.1.1 200.1.1.1 netmask 255.255.255.255

Then you would need to configure ACL on the ASA outside interface to allow the following:

- ESP protocol

- UDP/500

- UDP/4500

The above are the default IPsec ports; however, the VPN Concentrator also supports UDP/10000 and TCP/10000, so if you use those ports, you might want to enable those as well.

Then, for the clear-text traffic from the private interface of the VPN Concentrator towards the inside network, you would also need to configure static statements and an ACL to allow that clear-text traffic after it has been decrypted.

BTW, why don't you just terminate the VPN on the PIX itself?

Just FYI, the VPN Concentrator is going EOL, per the following EOL notification:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

Hope that helps.
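The steps in the answer above, written out as one added configuration example. This is not the answer's own config and not taken from any Cisco document; it uses the pre-8.3 PIX/ASA `static` and `access-list` syntax the answer uses, keeps the answer's `dmz` interface name and 200.1.1.1 address, and assumes names and ranges that are constructed for the example: the sec80 interface carrying the concentrator's private side is called `vpnpriv`, the concentrator assigns remote-access clients addresses from 10.10.10.0/24, and the campus network behind the inside interface is 10.1.0.0/16.

```cisco
! --- Public leg: outside (sec0) -> dmz (sec30), concentrator public interface ---
! Identity static ("NAT to itself") so 200.1.1.1 is reachable on the dmz; from the answer
static (dmz,outside) 200.1.1.1 200.1.1.1 netmask 255.255.255.255

! Permit only the IPsec control and data channels, and only to the concentrator host.
! Least privilege on the outside interface: no "permit ip any any".
! ESP is IP protocol 50; UDP/500 is IKE; UDP/4500 is NAT-T, which also carries ESP-in-UDP
! for clients behind NAT, so the plain ESP line alone is not enough for those clients.
access-list outside_access_in extended permit esp any host 200.1.1.1
access-list outside_access_in extended permit udp any host 200.1.1.1 eq 500
access-list outside_access_in extended permit udp any host 200.1.1.1 eq 4500
! Only if IPsec over UDP/TCP 10000 is actually enabled on the concentrator; otherwise leave out
access-list outside_access_in extended permit udp any host 200.1.1.1 eq 10000
access-list outside_access_in extended permit tcp any host 200.1.1.1 eq 10000
access-group outside_access_in in interface outside

! --- Private leg: vpnpriv (sec80) -> inside (sec100), decrypted client traffic ---
! Assumed (constructed) names: interface "vpnpriv", client pool 10.10.10.0/24, campus 10.1.0.0/16
! Identity static so campus hosts keep their real addresses when reached from vpnpriv
static (inside,vpnpriv) 10.1.0.0 10.1.0.0 netmask 255.255.0.0
! Permit only the client pool into the campus; narrow to specific hosts/ports where policy allows
access-list vpnpriv_access_in extended permit ip 10.10.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-group vpnpriv_access_in in interface vpnpriv

! --- Checks ---
! hitcnt on each ACL line shows whether client traffic is matching the intended entry
show access-list outside_access_in
show access-list vpnpriv_access_in
show xlate
```

On PIX 6.3 the `extended` keyword does not exist, so drop it from each `access-list` line; on ASA 8.3 and later the `static` form above is replaced by object NAT and the ACLs reference real (untranslated) addresses, so this block applies only to the pre-8.3 syntax the answer shows. The two identity statics are what let lower-security interfaces (outside, vpnpriv) reach hosts on the higher-security ones (dmz, inside); the ACLs then decide which of that traffic is admitted, and keeping them host- and port-specific is what keeps the DMZ exposure limited to the concentrator.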
